The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Tuesday added a lately disclosed safety flaw impacting Broadcom VMware Aria Operations to its Identified Exploited Vulnerabilities (KEV) catalog, citing lively exploitation within the wild.
The high-severity vulnerability, CVE-2026-22719 (CVSS rating: 8.1), has been described as a case of command injection that might permit an unauthenticated attacker to execute arbitrary instructions.
“A malicious unauthenticated actor could exploit this challenge to execute arbitrary instructions, which can result in distant code execution in VMware Aria Operations whereas support-assisted product migration is in progress,” the corporate mentioned in an advisory launched late final month.
The shortcoming was addressed, alongside withCVE-2026-22720, a saved cross-site scripting vulnerability, and CVE-2026-22721, a privilege escalation vulnerability that might end in administrative entry. It impacts the next merchandise –
- VMware Cloud Basis and VMware vSphere Basis 9.x.x.x – Fastened in 9.0.2.0
- VMware Aria Operations 8.x – Fastened in 8.18.6
Prospects who can’t apply the patch instantly can obtain and run a shell script (“aria-ops-rce-workaround.sh”) as root from every Aria Operations Digital Equipment node.
There are at the moment no particulars on how the vulnerability is being exploited within the wild, who’s behind it, and the dimensions of such efforts.
“Broadcom is conscious of experiences of potential exploitation of CVE-2026-22719 within the wild, however we can’t independently verify their validity,” the corporate famous in an replace to its bulletin.
In gentle of lively exploitation, Federal Civilian Govt Department (FCEB) companies are required to use the fixes by March 24, 2026.
